Avoiding future denial-of-service attacks



ISPs have a technique that could be used to choke off denial-of-service Web attacks, but it's not clear if business users will benefit from it any time soon.

By using address source filtering at edge routers, ISPs could prevent large numbers of "fake" IP packets from flooding targeted sites. In the near term, filtering is the only solution to prevent denial-of-service attacks on a large scale, says John Pescatore, a research director at Gartner Group, a Stamford, Conn., consulting firm.

While most ISPs agree filtering could nearly eliminate the assaults, they are hesitant to install the safeguard because of the heavy price and uncertainty about the longevity of the fix.

Filters, which have to be deployed on routers at the edge of the network, enable an ISP to drop packets whose source addresses do not belong on the link they arrived over. PSINet, for example, would examine packets coming in from a customer site and drop them if they carried source addresses assigned to UUNET or were otherwise not assigned to that customer.

Hackers typically forge the source IP addresses on attack packets, either lifting addresses from unknowing Internet users or simply making them up, to make it harder for investigators to discover where attacks are coming from.

Address source filtering will likely reduce the number of denial-of-service attacks by making this common first step difficult to pull off and easier to trace, says Chuck Davin, vice president and chief technical officer at PSINet.

So why aren't ISPs using filtering? The primary reason is that performance will suffer, says Kelly Cooper, Internet security officer at GTE Internetworking. "Filtering at the edge of the network will take a significant amount of router processing power."

PSINet's Davin likens it to putting police officers at the entry of every highway and having them check the license of every driver to make sure they are who they say they are.

To overcome the congestion, ISPs would have to deploy more packet-handling horsepower. "The bottom line is that the responsibility is on the ISPs and Web-hosting companies to strengthen their infrastructures," Gartner's Pescatore says. "They don't want to because it would require more routers, larger switches, etc., to maintain the same performance."

While source filtering can combat denial-of-service attacks, it's possible hackers could change their ways and effectively sidestep the expensive fix. Some ISPs, such as PSINet and GTE Internetworking, are considering setting up filters, but none have committed to deploying the technology.

UUNET's Mark Krause, senior manager of infrastructure security, says it's not so much a cost issue as a question of getting more powerful hardware and software that can handle the load without degrading network performance.

UUNET and GTE Internetworking are working with Cisco to develop a more advanced technique for dropping invalid traffic. GTE Internetworking is already using Cisco's reverse path forwarding (RPF) check, which compares a packet's source address against the routing table to ensure the packet arrived from the network the router would use to reach that source. But today, RPF cannot be used with customers that use more than one ISP for access, which is becoming more common, because traffic from such customers may legitimately arrive over a link other than the one the routing table points to. RPF is believed to be less draining on routers than access-list filtering.
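The two mechanisms the article describes, per-port source-address filtering at the edge router and the RPF check against the routing table, can be modelled in a few dozen lines. The following is an added example written for this page, not code from Network World, Cisco or any of the ISPs quoted; the router class, the interface names (`cust-a`, `cust-c`, `upstream`), the routing table and the four packets are all constructed for illustration (the routing table deliberately has no default route so that the "no route at all" case is visible). It shows ingress filtering and strict RPF both dropping a packet that spoofs another customer's address, and it reproduces the multihoming caveat from the text: a legitimate packet from a customer whose best route points out another link passes the ingress filter but fails strict RPF. The loose-mode variant (source merely has to be routable anywhere) is included because it is the usual compromise for such customers; it catches unrouted sources but not spoofing of routable ones.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address (the field spoofers forge)
    dst: str       # destination IP address
    in_iface: str  # interface the packet arrived on


class EdgeRouter:
    """Toy edge router: a forwarding table for RPF plus per-interface
    lists of permitted source prefixes for ingress filtering (constructed)."""

    def __init__(self):
        self.fib = []            # list of (network, outgoing interface)
        self.ingress_acl = {}    # in_iface -> [permitted source networks]

    def add_route(self, prefix, out_iface):
        self.fib.append((ipaddress.ip_network(prefix), out_iface))

    def permit_source(self, in_iface, prefix):
        self.ingress_acl.setdefault(in_iface, []).append(ipaddress.ip_network(prefix))

    def lookup(self, addr):
        """Longest-prefix match on the forwarding table; None if no route."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.fib:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def ingress_filter(self, pkt):
        """Source-address filtering: accept only if the source lies in a
        prefix assigned to the port the packet came in on."""
        a = ipaddress.ip_address(pkt.src)
        return any(a in net for net in self.ingress_acl.get(pkt.in_iface, []))

    def rpf_strict(self, pkt):
        """Strict RPF: the best route back to the source must leave via
        the interface the packet arrived on."""
        return self.lookup(pkt.src) == pkt.in_iface

    def rpf_loose(self, pkt):
        """Loose RPF: the source only needs some route in the table."""
        return self.lookup(pkt.src) is not None


def build_demo_router():
    """Constructed topology: customer A single-homed on cust-a; customer C
    multihomed, attached on cust-c but best reached via the upstream link."""
    r = EdgeRouter()
    r.add_route("198.51.100.0/24", "cust-a")    # customer A's assigned block
    r.add_route("203.0.113.0/24", "upstream")   # customer C's block, best path via other ISP
    r.add_route("192.0.2.0/24", "upstream")     # some destination out on the Internet
    r.permit_source("cust-a", "198.51.100.0/24")
    r.permit_source("cust-c", "203.0.113.0/24")
    return r


def evaluate(router, pkt):
    """Return the verdict of each check for one packet (True = forward)."""
    return {
        "ingress_filter": router.ingress_filter(pkt),
        "rpf_strict": router.rpf_strict(pkt),
        "rpf_loose": router.rpf_loose(pkt),
    }


if __name__ == "__main__":
    r = build_demo_router()
    cases = {
        "legitimate from A": Packet("198.51.100.7", "192.0.2.1", "cust-a"),
        "A spoofing C's address": Packet("203.0.113.9", "192.0.2.1", "cust-a"),
        "A using an unrouted source": Packet("10.0.0.5", "192.0.2.1", "cust-a"),
        "legitimate from multihomed C": Packet("203.0.113.9", "192.0.2.1", "cust-c"),
    }
    for name, pkt in cases.items():
        print(f"{name:30} {evaluate(r, pkt)}")
```

Running the block prints one verdict line per packet; the last case is the one that matters operationally, since strict RPF would cut off a paying multihomed customer while the per-port source list still admits it.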

While ISPs are waiting for more-advanced filtering methods, the ISPs interviewed by Network World say business users must shoulder some of the burden. The carriers are working with customers to set up filtering and intrusion-detection software to help prevent hackers from capturing machines to launch attacks.

Authorities pursuing the attackers say the servers used belonged to users who had no idea their resources were being used to launch attacks.

Clearly something has to be done, because the stakes are so high. The attacks on Yahoo, eBay, Amazon.com and E*Trade earlier this month cost approximately $1.2 billion, according to The Yankee Group, a Boston consulting firm. This figure comes from estimating lost revenues, loss in market capitalization due to falling stock prices and how much money will be spent on upgrading security systems.

Ultimately the carrier that offers a solution to the problem may have a competitive advantage over rivals.
